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ABSTRACT 

The Take-Grant Protection Model has in the past been used to model multilevel se- 
curity hierarchies and simple protection systems. The models are extended to in- 
clude theft of rights and sharing of information, and additional security policies are 
examined. The analysis suggests that in some cases the basic rules of the Take- 
Grant Protection Model should be augmented to represent the policy properly; 
when appropriate, such modifications are made and their effects with respect to the 
policy and its Take-Grant representation are discussed. 

Keywords: theoretical foundations, Take-Grant Protection Model, security policy, 
isolation, multilevel security. 

1. Introduction 

The Take-Grant Protection Model [12][15] is one of a number of abstract formulations of 
protection systems. Like other such models, it is primarily a theoretical tool used to analyze the 
safety question; unlike other models, it presents a framework in which that question is answered 
“yes,” and enables the derivation of results indicating the conditions under which rights can be 
transferred as well as the complexity of determining whether or not those conditions hold in a par- 
ticular system. Because of these characteristics, if it could be used to analyze an abstract model of 
an existing or proposed system, it would be possible either to prove in that model that rights could 
be transferred, or that they could not be. 

In this, it differs from other formal models of protection. The access control matrix model 
[8][10][14] is a matrix-oriented description of the rights that subjects, or actors, have over objects , 
or passive entities. It is a very general model that does not constrain in any way the set of com- 
mands that may be used to manipulate rights. As one would expect, answering the safety question 
using such a system is quite complex, and for the most general case, it is undecidable. However, if 
the commands are mono-conditional (or monooperational), the safety question can be answered. 
The difference between this model and Take-Grant is that Take-Grant explicitly states four rules 
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controlling the propagation of rights, and four rules and information, and so — even though those 
rules are not mono-operational — the safety question can be answered. 

The schematic protection model [17] is another model of protection which, like the access 
control matrix model, focuses on the issue of being able to answer the safety question and not de- 
termining necessary and sufficient conditions for sharing rights or information. Like the access 
control matrix model, it presumes no rules for propagation of rights, and ignores completely the 
questions of theft of rights and propagation of information. 

Those questions have been studied extensively in the Take-Grant Protection Model. Work 
by Snyder [20] on the transfer of rights without the cooperation of the owner of those rights ex- 
tended the results about sharing to situations of theft; work by Snyder and Bishop [4] introduced 
the notion of information flow and transfer into the model, and recent work by Bishop [3] presented 
results about the theft of information. Bishop [2], Jones [11], Snyder [18], and Wu [21] have ap- 
plied the model to some existing computer systems and simple security policies. The contribution 
of this paper is the expansion of some of those representations to include theft of rights and the 
sharing of information as well as representing some new policies. We begin by briefly reviewing 
the Take-Grant Protection Model, and then derive a simplification of one of those results, which 
will make analysis of the security policies in the following section much simpler. We analyze the 
security policies of complete isolation, the owner having the ability to share rights nd information, 
a multilevel security policy, and a tree-based hierarchical policy such as is found in many computer 
systems. Finally, we conclude with some discussion and suggestions for future work. 

2. The Basic Take-Grant Protection Model 

We present this section as background into the model; the reader desiring a more complete 
presentation should turn to the references. On the other hand, the reader familiar with the model is 
encouraged to turn to the next section! 

The Take-Grant Protection Model represents systems as graphs. The vertices are of two col- 
ors: subjects correspond to the active nodes such as processes, and objects correspond to the pas- 
sive entities as files. (In modelling a system, representing an entity may not be straightforward; for 
example, a segment of memory might be an object when not in use, but a subject when being exe- 
cuted. We treat this as a point of interpretation and hence beyond the scope of this paper.) Edges 
connecting these nodes are labelled with sets of rights; these sets are subsets of a finite set of rights 
which for this description we shall take to be R = {t,g,r,w} , where t represents the take right. 
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g the grant right , r the read right, and w the write right. Application of the rights is modelled by 
applying graph rewriting rules, which either change the protection state of the graph( dejure rules) 
or provide a representation of how information flows throughout the system (de facto rules). 

In protection graphs, the subjects arc represented by • and objects by O. Vertices which 
may be either subjects or objects are represented by ®. Pictures are very often used to show the 
effects of applying a graph rewriting rule on the graph; the symbol I- is used to mean that the graph 
following it is produced by the action of a graph rewriting rule on the graph preceding it. The sym- 
bol I-* represents several rule applications. The term witness means a sequence of graph rewriting 
rules which produce the predicate or condition being witnessed, and a witness is often demonstrat- 
ed by listing the graph rewriting rules that make up the witness (usually with pictures). 

The de jure rules manipulate edges (and vertices) in the graph. They are: 

take : Let x, y, and z be three distinct vertices in a protection graph Gq, and let x be a subject Let 

there be an edge from x to y labelled y with re y, an edge from y to z labelled p, and a c p. 

. Then the take rule defines a new graph G\ by adding an edge to the protection graph from 
x to z labelled a. Graphically, 


a 



The rule is written “x takes (a to z) from y.” 

grant : Let x, y, and z be three distinct vertices in a protection graph Gq, and let x be a subject Let 
there be an edge from x to y labelled y with g e y, an edge from x to z labelled P, and a £ p. 
Then the grant rule defines a new graph G\ by adding an edge to the protection graph from 
x to z labelled a. Graphically, 


a 



The rule is written “x grants (a to z) to y.” 
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create : Let x be any subject in a protection graph G 0 and let ac/?. Create defines a new graph Gj 
by adding a new vertex y to the graph and an edge from x to y labelled a. Graphically, 


The rule is written “x creates (a to new vertex) y.” 

remove: Let x and y be any distinct vertices in a protection graph G j such that x is a subject. Let 
there be an explicit edge from x to y labelled [3, and let a c /?. Then remove defines a new 
graph G\ by deleting the a labels from |3. If (3 becomes empty as a result, the edge itself is 
deleted. Graphically, 


P 


►< 8 > 

z 


\~ 




X * X* 

The rule is written “x removes (a to) y.” 

The edges which appear in the above graph are called explicit because they represent au- 
thority known to the protection system. Note that there is a duality between the take and grant rules 
when the edge labelled t or g is between two subjects. Specifically, with the cooperation of both 
subjects, rights can be transmitted backwards along the edges. The following two lemmata [12] 
demonstrate this: 


Lemma 1. 


a 



h* 


Lemma 2. 




h* 


As a result, when considering the transfer of authority between cooperating subjects, nei- 
ther direction nor label of the edge is important, so long as the label is in the set { t, g } . 

Definition. A tg-path is a nonempty sequence vq, .... v„ of distinct vertices such that for all 
0 5» i < a , Vj is connected to v, +1 by an edge (in either direction) with a label containing r or g. 

Note that the vertices in a tg-path may be either subjects or objects. 
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Definition. Vertices are tg-connected if there is a tg-path between them. 

Definition. An island is a maximal tg-connected subject-only subgraph. 

Any right that one vertex in an island has can be obtained by any other vertex in that island. 
In other words, an island is a maximal set of subjects which possess common rights. With each tg- 
path, associate one or more words over the alphabet {f, i, $, g} in the obvious way. If the path has 
length 0, then the associated word is the null word v. 

Definition. A vertex vq initially spans to v„ if vq is a subject and there is a tg-path between v 0 and 
v„ with associated word in {f*|} u {v} . 

Definition. A vertex v 0 terminally spans to v„ if vq is a subject and there is a tg-path between v 0 
and v R with associated word in { )* } . 

Definition. A bridge is a tg-path with vq and v„ both subjects and the path’s associated word in 

{>*,/*, >*!/*}• 

The following predicate formally defines the notion of transferring authority. 

Definition. The predicate can*share(a, x, y, Gq) is true for a set of rights a and two vertices x and 
y if and only if there exist protection graphs Gj, . . ., G n such that Gq I -*G n using only de jure rules, 
and in G„ there is an edge from x to y labelled a. 

In short, if x can acquire a rights over y, then can*share( a, x, y, Gq) is true. The theorem 
which establishes necessary and sufficient conditions for this predicate to hold is [15]: 

Theorem 3. The predicate can*share{ a, x, y, Gq) is true if and only if there is an edge from x to y 
in Gq labelled a, or if the following hold simultaneously: 

(3.1) there is a vertex s e G 0 with an s-to-y edge labelled a; 

(3.2) there exists a subject vertex x' such that x' = x or x' initially spans to x; 

(3.3) there exists a subject vertex s' such that s' = s or s' terminally spans to s; and 

(3.4) there exist islands I\, such that p' is in I\, s' is in /„, and there is a bridge from 
/ ; -to/y +1 (1 £j< n). 

Finally, if the right can be transferred without any vertex which has that right applying a 
rule, the right is said to be stolen. Formally: 

Definition. The predicate can»steal( a, x, y, Gq) is true if and only if there is no edge labelled a from 
x to y in Gq, there exist protection graphs Gj, .... G n such that Gq f-*G„ using only de jure rules, 
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in G n there is an edge from x to y labelled a, and if there is an edge labelled a from s to q in Gq, 
then no rule has the form u s grants (a to q) to z” for any z e Gj (1 £j < n). 

Essentially, this says that ccupsteal is true if ca/pshare is true, the thief did not have the 
right initially, and no owner of the right in the initial graph gave it away. It can be shown [17]: 

Theorem 4. The predicate carpsteal(a, x, y, Gq) is true if and only if all of the following hold: 

(4.1) there is no edge labelled a from x to y in Gq; 

(4.2) there exists a subject vertex x' such that x' = xorx' initially spans to x; 

(4.3) there is a vertex s with an edge from s to y labelled a in G$ 

(4.4) catpshareif , s, Gq) is true. 

The de facto rules differ from the de jure rules in that they do not alter the authorities in the 
graph; they merely record patterns of information flow, so we cannot use an explicit edge to show 
the result of the application. Still, some indication of the paths along which information can be 
passed is necessary so we use a dashed line, labelled by r, to represent the path of a potential de 
facto transfer. Such an edge is called an implicit edge. Notice that implicit edges cannot be manip- 
ulated by de jure rules, since the de jure rules can only affect authorities recorded in the protection 
system, and implicit edges do not represent such authority. 

The following set of de facto rules was introduced in [4] to model the transfer of informa- 
tion: 

post: Let x, y, and z be three distinct vertices in a protection graph Gq, and let x and z be subjects. 

Let there be an (implicit or explicit) edge from x to y labelled a with re a and an edge 
from z to y labelled |3, where we f). Then the post rule defines a new graph G\ with an 

implicit edge from x to z labelled r. Graphically, 

r 


x y z 


w 


h 



The rule is written “z posts to x through y,” and is so named because it is reminiscent of y 
being a mailbox to which z posts a letter that x reads. 

pass : Let x, y, and z be three distinct vertices in a protection graph Gq, and let y be a subject Let 
there be an edge from y to x labelled a with we a and an (implicit or explicit) edge from 
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y to z labelled j3, where re (J. Then the pass rule defines a new graph G\ with an implicit 
edge from x to z labelled r. Graphically, 


r 



The rule is written “y passes from z to x,” and is so named because y acquires the informa- 
tion from z and passes it on to x. 

spy: Let x, y, and z be three distinct vertices in a protection graph Gq, and let x and y be subjects. 

Let there be an (implicit or explicit) edge from x to y labelled a with re a and an (implicit 
or explicit) edge from y to z labelled (3, where re (3. Then the spy rule defines a new graph 
G\ with an implicit edge from x to z labelled r. Graphically, 



The rule is written “x spies on z using y,” and is so named because x is “looking over the 
shoulder” of y to monitor z. 

find: Let x, y, and z be three distinct vertices in a protection graph Gq, and let y and z be subjects. 

Let there be an edge from y to x labelled a with we a and an edge from z to y labelled (3, 
where w e |3. Then the spy rule defines a new graph Gj with an implicit edge from x to z 
labelled r. Graphically, 



The rule is written “x finds from z through y,” and is named because x is completely pas- 
sive; z and y give it information, which x then “finds.” 

Note that these rules add implicit and not explicit edges. Further, as these rules model in- 
formation flow, they can also be used when any edge labelled r is implicit. 

Definition. An rwtg-path is a nonempty sequence vq, .... v„ of distinct vertices such that for all i, 
0 £ i < n, v, is connected to v J+1 by an edge (in either direction) with a label containing t, g, r or w. 
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With each rwtg-path, associate one or more words over the alphabet { t, t, J, g, r, r, w, w} 
in the obvious way. 

Definition. A vertex \q rw-initially spans to v n if v 0 is a subject and there is an rwtg-path between 
v 0 and v„ with associated word in {r* w] u { v} . 

Definition. A vertex v 0 rw-terminalty spans to v n if vq is a subject and there is an rwtg-path between 
v 0 and v„ with associated word in { t* . 

Definition. A connection is an rwtg-path with vq and v„ both subjects and the path’s associated 
word in C = { t* r, wt* , t* rwi* } . 

Definition. The predicate can»know(x, y, Gq) is true if and only if there exists a sequence of pro- 
tection graphs Gq, . . G n such that Gq I -*G n , and in G n there is an edge from x to y labelled r or 
an edge from y to x labelled w, and if the edge is explicit, its source is a subject. 

In short, if x can obtain an implicit or explicit edge labelled r to y, then can*know(x, y, Gq) 
is true. The theorem establishing necessary and sufficient conditions for can*know to hold is [4]: 

Theorem 5. The predicate can»know(x, y, Gq) is true if and only if there exists a sequence of sub- 
jects U], ..., u n in Gq (n > 1) such that the following conditions hold: 

(5.1) uj = x or U} rw-initially spans to x; 

(5.2) u„ = y or u„ rw-terminally spans to y; 

(5.3) for all i, 1 <, i < n, there is an rwtg-path between u,- and u J+ j with associated word 
in B u C. 

We define an information analog to the can*steal predicate in which vertices with r rights 
over the target do not grant those rights to others nor participate in transfers of information. 

Definition. The predicate can»snoop(x, y, Gq) is true if and only if can*steal(r, x, y, Gq) is true or 
there is a sequence of graphs and rule applications Gq \~* G n for which all of the following hold: 

(a) there is no explicit edge from x to y labelled r in Gq; 

(b) there is an implicit edge from x to y labelled r in G n ; and 

(c) neither y nor any vertex directly connected to y is an actor in a grant rule or a de facto 
rule resulting in an (explicit or implicit) read edge with y as its target. 

Necessary and sufficient conditions for this predicate to hold are [3]: 
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Theorem 6. For distinct vertices x and y in a protection graph Gq with explicit edges only, the pred- 
icate can*snoop(x, y, Gq) is true if and only if can*steal(r, x, y, Gq) is true or all of the following 
conditions hold: 

(6. 1 ) there is no edge from x to y labelled r in Cq; 

(6.2) there is a subject vertex x such that x' = x or x' rw-inidally spans to x in Gq ; 

(6.3) there is a subject vertex y' such that y' * y , there is no edge labelled r from y' to y 
in Gq, and y' rw-terminally spans to y in Gq; and 

(6.4) can*know(x', y', Gq) is true. 

We now consider an alternate formulation of can* share that will aid us in applying the 
Take-Grant Protection Model to various security policies. 

3. Alternate Characterizations of can*share and can*know 

The simplicity of the statement for necessary and sufficient conditions for can* know leads 
one to wonder why equally straightforward conditions cannot be found for can* share. A moment’s 
reflection will lead to the following: 

Lemma 7. The predicate can*share(a, x, y, Gq) is true if and only if there is a vertex s€ Gq with an 
edge to y labelled a, and a sequence of subjects uj,. ,.,u n such that all of the following hold simul- 
taneously: 

(7.1) ll! = x or uj initially spans to x; 

(7.2) u n = s or u n terminally spans to s; and 

(7.3) there is a tg-path between u, and u J+ i for all i such that 1 < i < n. 

Proof: (=>) Assume can*share( a, x, y, Gq) is true. By (3.1), there is a vertex s € Gq with an edge 
to y labelled a; by (3.2), there is a vertex U] satisfying (7.1), and by (3.3) there is a vertex u„ sat- 
isfying (7.2). 

Consider now condition (3.4). Let by and e,- be the endpoints in /y of the bridges connecting 
islands /,_j with Ij and Ij with 7y + j, respectively. From theorem 1, we have x = b j and y" = e n . Now, 
let by = Zy 1 , .... zfi = ey be any path contained entirely in Ij. Then the members of the set 

{z/ll<y£n,l</<*y) 

are the vertices Uj, 1 < i < n, and (7.3) holds. 
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(<=) Now assume that there is a vertex s € G 0 with an edge to y labelled a, and a sequence of 
subjects .it* such that (7.1)-(7.3) hold. Then (3.1) holds by assumption, (3.2) by choosing x' 
= uj, and (3.3) holds by choosing s' = u„. 

Finally, note that vertices in the same island have a bridge of length 1 between them, so if 
u { and U; + i are directly connected, they belong to the same island, and if not (i.e., there are objects 
on the bridge connecting them), then they belong to different islands. In either case, let the set of 
islands in Gq be { /, } ; then the set of islands in (3.4) is merely the set 

{ Ij I 3 at least one k with u* € Ij } 

This proves condition (3.4), and the lemma. ■ 

Intuitively, the lemma holds because the islands are simply those parts of the tg-path be- 
tween U) and u R which consist of directly connected subjects. The advantage of this formulation is 
that one need not define the “islands” of the original theorem, and can instead consider simply tg- 
paths irrespective of maximal subject-only groupings just as in the test for can* know one need only 
consider rwtg paths and rw-terminal and rw-initial spans. So there is now a pleasing symmetry be- 
tween the necessary and sufficient conditions for sharing rights and sharing information. Of course. 

Corollary 8. Truth or falsity of the predicate can*share can be determined in time linear in the size 
of the graph. 

Given the symmetry between lemma 7 and the theorem for can*krtow, one would expect 
the latter could be reformulated along the lines of the theorem for can*share : 

Lemma 9. Let x and y be vertices in a protection graph Gq. Then can*know(x , y, Gq) is true if and 
only if can*share(r , x, y, Gq) is true or all of the following conditions hold: 

(9.1) there is a subject x' such that x' = x or x' rw-initially spans to x; 

(9.2) there is a subject y' such that y' = y or y' rw-terminally spans to y; 

(9.3) there is a sequence of islands Is, l^j^n, such that there is a bridge or connection from 
Ij to Ij+ j t 1 <tj<n, and x' e I\ and y' 6 

Proof: The proof is similar to that of lemma 7 and is left to the reader. I 

4. Modelling Specific Security Policies 

We now consider some security policies and how they might be modelled using the Take- 
grant Protection Model. Each of these policies is realistic in the sense that an existing computer 
system uses them or they have been described in the literature as appropriate under certain condi- 
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tions for an operational system. We first express the policy in terms of the predicates can* share, 
can* steal, can* know and can*snoop, and then ask whether the policy can be modelled using the 
rules of the Take-Grant Protection Model. If it cannot, we describe any necessary modifications to 
the rules and the effect of those modifications on the predicates. 

We shall explore the representation using two criteria. Let H be the set of protection graphs 
satisfying the security policy (we shall use subscripts to distinguish between H s representing dif- 
ferent policies). We shall require that the set of rules used to model the policy be sound with respect 
to H: 

Definition. A set of graph rewriting rules P is sound with respect to a set of protection graphs H if 
applying any finite sequence of elements of P to any element he H produces a graph h'e H. 

In addition, we shall examine the completeness of the rule set with respect to H and the set 
of original rules O = { take, grant, create, remove }: 

Definition. Let h,h'e H, and h\~* h' using the rules in O. Then if for some P cO, h\~* h' using 
only elements of P, the subset P is complete. 

Note that “subset” here includes restricting the rewriting rule in some way, such as not al- 
lowing creates to add take edges. 

4.1. Complete Isolation of Each Process 

The policy of total isolation of each process prevents breaches of security and solves the 
confinement problem by preventing any transfer of information or rights among subjects [13]. 

To prevent any information or rights transfer (illicit or otherwise) it suffices to make all four 
predicates always be false. Hence for this policy, H\ is the set of graphs with elements satisfying 

- -ycan*share(a,x,yji ) a -<can*steal(a,x,y,h) a -ican*know(x,y,h) a ->can*know(x,y,h) 
for all protection graphs h e H\, all pairs of vertices x and y in h, and all subsets of rights a £ R. 

To characterize this requirement in terms of the rules, note that by theorems 5 and 7, it suf- 
fices to prevent any bridges or connections between any two subjects to enforce this condition; in 
that case, both conditions (5.3) and (7.3) can never hold. Because the x and y referred to in the the- 
orems may be subjects, it is not possible to prevent conditions (5.1), (5.2), (7.1), and (7.2) a priori 
from occurring; hence the above constraint is also necessary. Thus, may be characterized in 
terms of Take-Grant rights by: 
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Requirement. To enforce complete isolation of subjects, no bridges or connections may exist be- 
tween any two subjects in the protection graph. 

Determining whether or not a protection graph meets this requirement is easy: just look for 
bridges or connections between subjects. So: 

Lemma 10. Testing a graph for violation of the restriction may be done in time linear in the number 
of edges of the graph. 

Also, when a new de jure rule is applied, we can test for violation of the restriction just by 
looking at the paths affected by the rule application; in the worst case, this requires checking every 
edge in the graph. So: 

Lemma 11 . Determining whether or not an application of a de jure rule violates the restriction may 
be done in time linear to the number of edges of the graph. 

This does not require any changes to the take or grant rules, since in a graph in which cre- 
ation is disallowed, bridges and connections may not be constructed unless they already exist. 
However, it does require changing the create rule, since if one subject creates another, the parent 
may give itself any rights in R to the child. Should one of these rights be take, grant, read, or write, 
there will be a bridge, connection, or both between the parent and the child. Hence to make the rules 
sound with respect to this set of protection graphs H\, the create rule must not allow any of those 
rights to be in the set of rights the parent has over its child: 

mcreate 0 modified create): Let x be any subject in a protection graph h, and let ac/?. The mod- 

ified create rule mcreate defines a new graph A 'by adding a new vertex y to the graph and 
an edge from x to y labelled a' such that if y is a subject, a' = a - { f, g, r, w } , and if y is 
an object, a' = a. 

To see the set P\ = { take, grant, mcreate, remove ) is sound with respect to //j, simply note 
bridges and connections cannot be added where they did not exist This set of rules is not complete 
with respect to O and H\, because using rules in O, one can derive a graph with two subjects that 
are not connected to each other having read rights over a single object (see figure 1), but one cannot 
obtain the same graph using the rules in P\ because at no time can the read right be transferred from 
one subject to another. These arguments can be made rigorous, and show: 

Lemma 12. Pj is sound with respect to H j, but not complete with respect to O and H\. 

As an aside, we note that if the policy is eased to allow sharing of rights between processes 
with the same ancestors (which would be reflected by modifying the requirement and the definition 
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Figure 1. Example of lack of completeness of P\ for a security policy of complete isolation. 

of the set Hi appropriately), the create rule need not be modified to produce a sound and complete 
set of rules. The complexity of testing for violations of the restriction is still linear in the size of the 
graph. 

However, this security policy is so restrictive as to be uninteresting, banning (among other 
things) any take, grant, read, or write edges, and most paths, between subjects. So let us turn to a 
slightly less restrictive, and more interesting, policy. 

4.2. Limited Sharing: Owner Controls Dissemination of Rights and Information 

In some access control systems, the rights to manipulate files or data is under the control of 
the owner of that data. For example, in the Unix® operating system [16], the owner of a file con- 
trols who may access it. So this policy allows sharing of rights and information with consent of the 
owners of that information. 

We must at this point define ownership. Two definitions are possible; one, more common 
in database work, holds that possession of a right is “ownership” of some kind. The second, more 
common to operating systems, defines ownership as a separate right. We examine both here. 

4.2.1. Ownership Conferred by Possession of a Right 

This definition, used for example in System R [9], creates a system in which mere posses- 
sion of a right enables a subject to propagate that right. Hence for this policy and definition, H^ is 
the set of graphs with elements satisfying 

cWshare(a,x,y,h) a -ycan*steal(a,x,y,h) a can*know(x,y,h) a ->cWsnoop(x,y,h) 
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for all protection graphs h e Hj, all pairs of vertices x and y in A, and all subsets of rights aQR. 
The reasoning is that any two subjects must be able to share rights or information, but no set of 
subjects can steal rights or information without the consent of the owner. To satisfy the first two 
predicates, the owner must cooperate in any transfer of rights; to satisfy the latter two, the owner 
must cooperate in any sharing of information. We also note that any pair of subjects can share rights 
or information by the construction of this condition. 

For can*share(aji,y,h) to be true but can •steal(a,x,yji) to be false, condition (4.4) must 
be false since negating any of conditions (4. l)-(4.3) negates either of conditions (3. 1 ) or (3.2), mak- 
ing can*share(CL,x,y,h) false. For (4.4) to be false, by lemma 7 either there must be no tg-paths be- 
tween any two subjects or no take edges incident upon any subject We note that the former again 
renders can*share{CL,x,y,h) false, and that the latter renders can*snoop{x,y,h) false (as all rw-ter- 
minal spans will have length 1, so condition (6.3) fails) without also negating can*know(x,y,h)- 
Clearly, the latter characterization of Hj is best: 

Requirement. To implement the above policy, no take edges may be incident upon any subject. 

Obviously, testing for this condition is simple, as is testing for a violation when a de jure 
rule is applied: 

Lemma 13. Testing a graph for a violation of the restriction may be done in time linear in the num- 
ber of edges in the graph. Further, determining whether or not an application of a de jure rule vio- 
lates the restriction may be done in constant time. 

The obvious way to prevent creation of take edges is to make the appropriate modification 
to the mcreate rale described in the previous section (call the new create rule ncreate, and the rule 
set P2i)- The argument for soundness is almost identical to the one for mcreate. And the argument 
for completeness fails also. To see why, notice that the grant rule does not add any edges to the 
source of the edge labelled grant. Hence, lemma 2 cannot hold (in fact, the proof that it is true using 
the set O of original Take-Grant Protection Model rules requires the use of a take rule). Now con- 
sider a graph h in // 2 . As there are no take edges, the only take edges that could be added using the 
rules in O would be to new vertices. If those vertices are subjects, any subsequent manipulation of 
those rights would require an application of lemma 2, which is false given the replacement of the 
create rule by the ncreate rule. Hence: 

Lemma 14. P 2 i is sound but not complete with respect to O and 
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Figure 2. Proof of lemma 2 using the rule set P 22 - { take, grant, nmcreate, remove ) . 

A simple way to make the new rule set P 21 complete as well as sound is to change ncreate 
to require the creation of grant edges to every existing subject when a new subject is created: 

nmcreate ( new modified create): Let x be any subject in a protection graph h, and let aCR. The 

modified create rule mcreate defines a new graph h ' by adding a new vertex y to the graph 
and an edge from x to y labelled a' such that if y is a subject, a' = a - { t } , and if y is an 
object, a' = a. Also, if y is a subject, edges labeled { g } are added from y to each subject 
vertex in h. 

Using the rule set P 22 - ( take, grant, nmcreate, remove ), creating a new vertex would 
add an incoming grant edge to the parent, in which case the proof of lemma 2 is straightforward 
(see figure 2). Then the argument for completeness goes as before, except that as lemma 2 is true, 
the transfer of any rights from a newly created subject to the parent using take can be emulated by 
the child granting the parent the rights. If the child is an object, of course, the issue never arises 
since the only way a right can be added to the child is by the parent granting the right, in which 
case application of the take rule is redundant and can be eliminated. This can be made formal, and 
shows: 
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Lemma 15. P 22 > s both sound and complete with respect to 0 and 
4.2.2. Ownership As a Right 

Using this definition, ownership is itself a right and only the owner may distribute rights. 
This version is similar to the propagation prevention mechanism such as HYDRA’s environmental 
rights mechanism [5],[11] and, at least in operating systems, is more common than an uncon- 
strained ability to transmit rights. 

First, note that the rules for the Take-Grant Protection Model fail to capture the system’s 
distinction between owning an object and owning a right to an object The simplest incorporation 
of this distinction is a modification of the grant rule.Define a new ownership right o. Then: 

mgrant (modified grant rule): Let x, y, and z be three distinct vertices in a protection graph Gq, 
and let x be a subject. Let there be an edge from x to y labelled y with g e y, an edge from 
x to z labelled p with 0 e p, and a c p with o € cl. Then the modified grant rule mgrant 
defines a new graph Gj by adding an edge to the protection graph from x to z labelled a. 

In short, no rights to an object may be granted unless the grantor has an o right to the object. 
Further, the o right cannot be granted. Let P 23 = ( take, mgrant, nmcreate, remove }. Then: 

Lemma 16. Given the set of rules P 23 , only the owner of a target can propagate a right to that target. 

Now, the set of graphs under consideration is still H 2 . But how does the change in the gram 
rule affect the restriction necessary to ensure that owners can share information or rights, but that 
those cannot be stolen or snooped? As both stealing and snooping may involve the propagation of 
rights, if neither is possible, then limiting the propagation of rights further will not enable either. 
In other words, the modified grant rule limits the spread of rights and so those predicates that are 
false in the original model will be false in the modified model. So the requirement for the uncon- 
strained case is at least sufficient 

To carry the analysis a bit deeper, a right can clearly be shared between the owner and any 
other subject since, by the statement of the security policy, all subjects have grant rights over one 
another. However, a simple construction will show that rights can be propagated between endpoints 
of bridges as well, but no further. Hence given the modified grant rule, can* share is true if and only 
if the number of subjects in condition (7.3) is 2. 

We note that the rule set P^i is sound since no take edges are added by any of the rules. 
Completeness follows from the same argument as before. Hence: 
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Lemma 17. 3 is both sound and complete with respect to 0 and Hj. 

4.3. Multilevel Security Policy 

Multilevel policies are quite common in existing systems (see for example [6], [16]). Here 
we generalize the results in [ 2 ] and extend them to include can* share, can* steal and can* snoop. 
Our policy is a generalization of the Bell-LaPadula model [1] in which a set U of rights may not 
extend from a lower to a higher level, and a set D of rights that may not extend from a higher to a 
lower level. We shall assume that r e U and w € D so that the simple security and ‘-properties hold. 

This policy associates with each subject and object a security level and a set of categories. 
Informally, a subject can access an object (in any way other than by using the rights in D) if the 
security level of that object is no greater than the level of the subject and the object’s set of catego- 
ries is a (possibly improper) subset of the subject’s categories; similarly, the subject can access an 
object (in any way other than by using the rights in U) if the security level of the object is no less 
than that of the subject and the object’s set of categories is a (possibly improper) subset of the sub- 
ject’s categories. Formally, define the functions s/(x) and cs(x) to be the security level and set of 
categories of the vertex x, respectively; then x dominates y (written x £ y) if both sl(x) £ sl(y) and 
cs(y) c cs(x), and x strictly dominates y (written x > y) if x ;> y and sl(x) * sl(y ) or cs(y) £ cs(x). 
(Following Gasser [7], we shall call the pair (s/(x), cs(x)) an access class.) 

We consider two types of systems: those with mandatory access controls only, and those 
with both mandatory and discretionary access controls. 

4.3.1. Mandatory Access Controls Only 

In a multilevel security policy with mandatory controls only, permission of the owner of 
rights to an object need not be acquired to obtain access to that object; if access can be granted ac- 
cording to the multilevel rules, it will be. This security policy may then be summarized by requiring 
the elements of // 31 to satisfy: 

[V8cD, vcU] x > y e=> ->can*share(8,x,y,h) a ->can*share(v,y,x,h) a can*know(x,y,h ) 

for all protection graphs h € // 31 , all pairs of vertices x and y in h, and all subsets of rights a C /?. 
This captures that if x strictly dominates y, x cannot o to y and y cannot 8 to x (where 0 and 8 are 
subsets of U and D, respectively) and that the owner need not consent to any transfers of informa- 
tion or rights (hence the omission of can*steal and can*snoop). 
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We extend the characterization of a similar (straightforward Bell-LaPadula) model in [2] to 
describe the class of protection graphs in H$\. Each set of nodes in a single access class is repre- 
sented as a protection level: 

Definition. A protection level is a set of subjects in a protection graph G such that, for every pair 
of vertices x and y in the set, can*share{a,x,y,G), can*share(a,yjt,G), can*know(x,y,G) and 
can*know(y,x,G) are true. 

This says that within a protection level (access class), all vertices can obtain any informa- 
tion or rights from any other vertex in that level. 

Definition. Two subject vertices x and y are said to be joined if can*know(x,y,G) is true, and 
can*know(y,x,G), can*share(x>,y,x,G), and can*share(8 t x,y,G) are false. 

It can be shown (along the lines of the proof of proposition 4.4 in [2]) that this relation de- 
fines a partial ordering; so, if the members of one access class dominate another, the members of 
the protection level representing the first access class are joined to the second, and we say the first 
protection level is higher than the second (or, the second is lower than the first). Intuitively, what 
the two definitions say is that within a protection level, any amount of sharing of information or 
rights is fine, but between protection levels, information may flow upward, and any sharing of 
rights that does not involve adding edges labelled with rights in U going from a lower protection 
level to a higher one, or edges labelled with rights in D going from a lower protection level to a 
higher. 

Given this representation, it can be shown that [2J: 

Requirement. To enforce a multilevel security policy of the sort described here, there can be no 
bridges or connections between protection levels. 

In essence, this forbids any transfer of information or rights between protection levels, 
which certainly satisfies the policy. It is also straightforward to prove: 

Lemma 18. Testing a graph for a violation of the restriction may be done in time linear in the num- 
ber of edges in the graph. Further, determining whether or not an application of a de jure rule vio- 
lates the restriction may be done in constant time. 

This representation is probably overly restrictive because it limits the sharing of rights other 
than those in U and D, and since the multilevel policy deals only with those rights, any represen- 
tation should deal only with them. In [2], three modifications to the rules in 0 are considered; we 
generalize the most interesting here: 
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mistake (multilevel secure take): Let x, y, and z be three distinct vertices in a protection graph 

Go, and let x be a subject Let there be an edge from x to y labelled y with t € y, an edge 
from y to z labelled 3, and a c (1. Then the multilevel secure take rule mistake defines a 
new graph G\ by adding an edge to the protection graph from x to z labelled a' such that 
if x > y, a' = a - D and if y > x, a' = a - U. 

mlsgrant (multilevel secure grant): Let x, y, and z be three distinct vertices in a protection graph 

Gq, and let x be a subject Let there be an edge from x to y labelled y with g e y, an edge 
from x to z labelled |3, and a C (J. Then the multilevel secure grant rule mlsgrant defines a 
new graph G\ by adding an edge to the protection graph from x to z labelled a' such that 
if x > y, a' = a - D and if y > x, a' = a - U. 

These rules simply modify the original take and grant rules to prevent adding edges with 
rights in U from a vertex in a lower protection level to a higher one, or edges with rights in D from 
a higher protection level to a lower one. If P 31 is the set of rules obtained by replacing the take and 
grant rules in O with the mistake and mlsgrant rules, it can be shown [ 2 ]: 

Lemma 19. P$\ is both sound and complete with respect to O and H^. 

4.3.2. Mandatory and Discretionary Access Controls 

In this case, first mandatory access controls determine if the desired access is allowed by 
the system; if it is, then the discretionary access controls determine if access is allowed by the own- 
er of the information. So, with this policy, in addition to the statement of mandatory access, a com- 
ponent for discretionary access must be included, and the elements in Hyi must satisfy: 

[[VScD, oCt/] x > y <=> ->can*share(5 y x y yji) a ->can*share(Xi,y y x,h) a can*know(x,y y h)] a 

->can*steal(a y y y x y h) a -<can*snoop(x y y,h) 

for all protection graphs h e all pairs of vertices x and y in h , and all subsets of rights ac/?. 
In addition to the limits discussed in the mandatory-only case, this formula also captures that the 
owner must consent to any transfers of information or rights by the inclusion of can* steal and 
can* snoop. 

We now redefine protection level and joined to disallow stealing and snooping in the obvi- 
ous way. Then in addition to their being no bridges or connections between protection levels, there 
can also be no take edges incident upon subjects by the reasoning in section 4.2.1. Hence: 
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Requirement. To enforce a multilevel security policy involving both mandatory and discretionary 
access controls, there must be no take edges incident upon subjects, new any bridges or connections 
between protection levels. 

Clearly, violations can be tested in time linear in the number of edges of the graph, and 
when a de jure rule is applied, examining the new edge will reveal violations. As before, this re- 
quirement, while effective, is quite restrictive. 

Let us add the right t to both sets U and D, and further alter the create rule to bar creation 
of any edge labelled t and add grant edges to all subjects in the new vertex’s protection level when 
the new vertex is a subject. (This is in the spirit of the nmcreate rule in section 4.2. 1 . However, here 
the “parents” are simply all vertices in the protection level.) Call die new create rule mis create. 
Then let P 32 - ( mlsgrant, mlscreate, remove } and remove the above requirement. What are the 
effects? If a graph h is in W32, applying those rules will generate a new graph h' also in // 32 , be- 
cause no stealing or snooping can be done (since the lack of take edges incident on subjects violates 
both conditions (4.4) and (6.3), so by theorems 4 and 6, those predicates can never hold), and clear- 
ly no edges with labels in U can be added from a lower protection level to a higher, and no edges 
with labels in D can be added from a higher protection level to a lower; so this set of rules is sound 
with respect to Next, notice that since no take edges are present, the take rule could never be 
applied, and further if the ordinary create rale were used, the mlscreate rale could be simulated by 
having the creator at once grant g rights over all vertices in the protection level to the newly created 
subject. Hence P32 is complete. This can be formalized to show: 

Lemma 20. Pyi is both sound and complete with respect to O and // 32 - 
4.4. Tree-Based Hierarchies 

A tree hierarchy is a set of entities arranged in a tree structure. We shall use the term tree- 
based hierarchy to refer to a structure derived from a tree hierarchy. An ancestor of vertex x is a 
vertex which can acquire a right from x with or without x’s cooperation. The level of x is the length 
of the shortest path to the root containing only the ancestors of x and x itself. Define a common 
ancestor of vertices x and y to be the set of vertices which are ancestors to both x and y. We then 
consider a security policy that allows vertex x to share rights or information with vertex y if and 
only if a co mmo n ancestor allows the sharing. We specifically consider those hierarchies which are 
initially trees, but may degenerate into directed graphs. 
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This policy is a generalization of one discussed in [18]; protocols to implement it were dis- 
cussed in [21], and similar, less general policies are the basis for many protection schema (for ex- 
ample, for the Unix® operating system, the tree level is 2, with the superuser being the root vertex 
and all users being the nodes to which the root is ancestor). The focus of this discussion is more 
fundamental: what is the specific policy being enforced, and how should the rules in O be modified 
to prevent breaches of security? 

Define anc(xi,...,x n ) to be the set of common ancestors of Xj, ..., x„. Then for this policy, 
H a is the set of graphs satisfying: 

[can*share(aji,yji) => [3 ze anc(x,y) [can*share(o^z,y,h) a can*share(g,zj.,h)]]] a 
[can*knowix,y,h) =* [3 ze anc(x,y) [can*know{z,y,h) a can*know(x,z,h)\W a 
[ V ze anc(x) [—can*snoop(xj.,h) a ->can*steal(t,x,z,h)]] 

for all protection graphs h e H A , all pairs of vertices x and y in h, and all subsets of rights at/?. 
In intuitive terms, this says simply that no vertex may steal or snoop an ancestor, and that if two 
vertices can share rights or information, one of their common ancestors must have assisted in that 
sharing. 

To characterize such a graph in Take-Grant terms, first note that while each ancestor may 
have both take and grant authority over its descendents, no vertex may have take authority over any 
ancestor. (Hence the definition of ancestor of a vertex x ay be characterized succinctly as the set of 
vertices lying on any path from the root to x with associated word in '* .) We then note that 
can*steal(a,x,y,h) is true only if some vertex z has a rights over y, and a common ancestor of x 
and z participates in the theft, the former condition being required by condition (4.3), and the latter 
following by the common ancestors being foci of access sets which connect that part of the con- 
spiracy graph associated with h containing x with that part containing y [20]. Further, both those 
conditions enable one to exhibit a witness to can*steal(aji t yji); hence. 

Lemma 21. can*steal(a,x,y,G) is true if and only if there exists a vertex z with a rights over y in 
G, and a common ancestor of x and z applies one (or more) rules instantiating the theft. 

A similar result holds for can* snoop: 

Lemma 22. can*snoop(x,y,G) is true if and only if there exists a vertex z which rw-terminally spans 
to y in G but does not have r rights over y in G, and a common ancestor of x and z applies one (or 
more) rules instantiating the snooping. 
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Figure 3. Lack of soundness of O under a tree-based hierarchical security policy. 
Unfortunately, a very quick construction shows that O is not sound with respect to // 4 (see 
figure 3). Hence, to enforce soundness, the rules must be modified. The most obvious modification 
follows from the previous section; since in essence this is a hierarchy, simply restrict the applica- 
tion of the take and grant rules so that no take edges may be added going up: 

tbhtake ( tree-based hierarchical take): Let x, y, and z be three distinct vertices in a protection 
graph Go, and let x be a subject. Let there be an edge from x to y labelled y with t € y, an 
edge from y to z labelled (3, and acp. The tree-based hierarchical take rule tbhtake defines 
a new graph G\ by adding an edge to the protection graph from x to z labelled a' such that 
ify € anc(x, y), a' = a - { t }. 


tbhgrant (tree-based hierarchical grant): Let x, y, and z be three distinct vertices in a protection 
graph G 0 , and let x be a subject. Let there be an edge from x to y labelled y with g e y, an 
edge from x to z labelled (3, and ac (i. Then the tree-based hierarchical grant rule tbhgrant 
defines a new graph G\ by adding an edge to the protection graph from x to z labelled a' 
such that, if y € anc(x, y), a' = a - { t } . 


Now, as no take edges ever extend from a vertex to an ancestor, both snooping and thieving 
are impossible unless an ancestor common to the source and target cooperates. Unfortunately, com- 
pleteness no longer holds since take edges from a vertex to an ancestor can no longer be emulated 
with the new rules, as lemma 2 fails for the reasons given in section 4.2.1. So to ensure complete- 
ness, a modified create rule similar to the nmcreate rule must be used: 


tbhcreate ( tree-based hierarchical create): Let x be any subject in a protection graph h, and let a 

G R. The tree-based hierarchical create rule tbhcreate defines a new graph h ' by adding a 
new vertex y to the graph and an edge from x to y labelled a' such that, if y is a subject. 
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then a' = a - { t }, and if y is an object, a' = a. Also, if y is a subject, edges labeled { g } 
are added from y to each subject vertex in anciy). 

The proof of completeness now follows, so letting P 4 = { tbhtake, tbh grant, tbhcreate, remove }: 
Lemma 23. P 4 is both sound and complete with respect to O and H 4 . 

5. Conclusion 

The ability to represent useful security policies shows that the Take-Grant Protection Mod- 
el may prove to be not only a theoretical tool for studying some ramifications of the safety question, 
but also a powerful, practical model that can be used to study abstract representations of real sys- 
tems for safety (or methods that could be used to leak information or rights). This paper has pro- 
vided several such representations. Of course, other methods of abstraction could have been used. 

As an example, the four basic rules (take, grant, create, remove) could have been bound to- 
gether to form protocols , and subjects required to apply rules only by executing one (or more) of 
those protocols. Rather than employ this strategy to ensure soundness, as Snyder [18] and Wu [21] 
have done, we have considered modifications to the take-grant graph rewriting rules. This has two 
effects. 

A protocol strategy first implies that all subjects will use the primitive operations only 
through the protocols, and that they can be trusted not to call on the primitive operations directly. 
For example, in figure 3, Wu’s protocols assume that no ancestor will grant take rights in the way 
that was done there. Given such an assumption (that all subjects are, in that sense at least, honest), 
a protocol strategy works well. However, it ignores the possibilities of theft and snooping. When 
those are considered, it becomes clear that the “protocols” must be the “primitive operations” to 
ensure that the subjects only use them to alter the graph. 

Secondly, the graph rewriting rules presented here are far more general than the protocols 
used by Wu. As an example, in her analysis of the tree-based hierarchical security policy, there is 
an implicit assumption that if a subject wants a right from another node which is not a descendent, 
a common ancestor must initiate the transfer. In this analysis, we make no such assumption; the 
vertex may, in effect, “request” the ancestor transfer the right by initiating a transfer. However, to 
complete the transfer, the ancestor must apply one (or more) rules. The difference is that between 
initiation and cooperation. 
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Much work remains before the Take-Grant Protection Model can be used in practise. For 
example, many systems treat rights reflexively (that is, a subject can take or grant itself rights, as 
well as read itself).The Take-Grant Protection Model does not But as Snyder has pointed out, re- 
flexivity “probably is not fundamental to the Take-Grant Model in the first place,” ([19], p. 179) 
and it has some benefits when making an abstraction of an existing system. When one models a 
“process,” one may actually be modelling several entities: the process thread itself, the process 
control block (if the process can read or alter it directly), those portions of memory in which vari- 
ables are stored (for processes which do not read or write anything are useless, unless one is con- 
sidering the problem of covert channels, a subject well beyond the scope of this paper), and files. 
Each of these should be considered as separate entities, because each interacts with the execution 
of the process in a different way; and the lack of reflexivity in Take-Grant encourages such a divi- 
sion. This suggests that in the application of a formal model like Take-Grant, irreflexivity may ben- 
efit the modelling process. Analysis of a reflexive Take-Grant Protection Model would help 
determine if this intuition is correct, or when a reflexive system should be used. 

We have modified many of the Take-Grant graph rewriting rules to capture compliance with 
a security policy. Part of the reason for this was to ensure the theorems stating necessary and suf- 
ficient conditions for can* share, can*know, can* steal and can*snoop held. However, it might be 
possible to produce “meta-theorems” which, for a given rule set, produce conditions under which 
those four predicates hold. Such meta-theorems would almost be a necessity for any realistic use 
of the Take-Grant Protection Model in systems analysis, since no two systems will have the same 
rule sets. This issue requires much further work. 

Finally, most computer systems have some concept of “group.” Incorporating such a notion 
into the Take-Grant Model would be invaluable towards its practical application. 
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